What types of threats should you be looking at?
From a security perspective, a threat is an act or condition that seeks to obtain, damage, or destroy an asset. Threats can be divided into three types: actual, conceptual, and inherent.
Actual threats are the crime and security incident history against an asset or at a facility which houses the assets. Actual threats are a quantitative element of a threat assessment.
Conceptual threats, on the other hand, exist by virtue of vulnerabilities around the asset or weaknesses in the security program which produce opportunities for crime to occur. Alternatively, conceptual threats may be identified based on crimes occurring in the area or against similar assets. Conceptual threats are a qualitative element of a threat assessment.
Examples of conceptual threats are…
1. assaults in dark, isolated areas of a college campus
2. burglaries of motor vehicles in unsecured mall parking lots
3. viruses on computers connected to the internet without anti-virus software, firewalls, etc.
Inherent Threats, in contrast, are threats which exist by virtue of the nature or characteristics of the assets in need of protection. In other words, the asset is a crime magnet or prone to loss, damage or destruction. Inherent threats are also a qualitative element of a threat assessment.
Examples of inherent threats are…
1. theft of jewelry
2. assaults in bars and nightclubs
3. hacking of a financial institution’s network to obtain customer information such as account numbers
Hopefully, this short primer is of value the next time you’re reviewing a security program. When assessing the threats to assets, it is important to consider all three types of threats.